[Pkg-shadow-devel] Bug#505271: Bug#505071: login tty mis-determination (see bug#332198)

Nicolas François nicolas.francois at centraliens.net
Mon Nov 24 00:15:14 UTC 2008


On Sun, Nov 23, 2008 at 10:29:55PM +0100, jmm at inutil.org wrote:
> On Sun, Nov 23, 2008 at 10:24:26PM +0100, Nicolas François wrote:
> > 
> > I made an upload for Etch (-7etch1, also to fix #505271)
> > Moritz, if you can't see it, maybe I did it wrong.
> 
> I don't see any trace of it on klecker? Can you please send the debdiff
> to team at security.debian.org?

Here it is.

dupload --to anonymous-security shadow_4.0.18.1-7etch1_i386.changes
is still in my history, and I don't think I interrupted it.

I did not prepare anything for oldstable, but the same patch should still
apply if needed.

Best Regards,
-- 
Nekral
-------------- next part --------------
diff -u shadow-4.0.18.1/debian/patches/series shadow-4.0.18.1/debian/patches/series
--- shadow-4.0.18.1/debian/patches/series
+++ shadow-4.0.18.1/debian/patches/series
@@ -50,0 +51 @@
+303_login_symlink_attack
diff -u shadow-4.0.18.1/debian/changelog shadow-4.0.18.1/debian/changelog
--- shadow-4.0.18.1/debian/changelog
+++ shadow-4.0.18.1/debian/changelog
@@ -1,3 +1,12 @@
+shadow (1:4.0.18.1-7etch1) stable-security; urgency=low
+
+  * The "Curé nantais" release
+  * debian/patches/303_login_symlink_attack: Fix a race condition that could
+    lead to gaining ownership or changing mode of arbitrary files.
+    Closes: #505271
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Sat, 22 Nov 2008 16:04:04 +0000
+
 shadow (1:4.0.18.1-7) unstable; urgency=low
 
   * The "Pélardon" release
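Review bot: The header of the new entry sets urgency=low for a stable-security upload, while the entry's own bullet says the race "could lead to gaining ownership or changing mode of arbitrary files"; consider raising it (for example urgency=high) so the urgency matches the stated impact. The bullet also identifies the issue only by "Closes: #505271"; if a CVE identifier has been assigned, cite it here so the fix can be tracked from the changelog.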
only in patch2:
unchanged:
--- shadow-4.0.18.1.orig/debian/patches/303_login_symlink_attack
+++ shadow-4.0.18.1/debian/patches/303_login_symlink_attack
@@ -0,0 +1,23 @@
+Goal: Fix a symlink attack
+
+Fixes: 505271
+
+Status wrt upstream: Fixed upstream
+
+--- a/libmisc/chowntty.c
++++ b/libmisc/chowntty.c
+@@ -119,8 +119,12 @@
+ 		exit (1);
+ 	}
+ 
+-	if (chown (tty, info->pw_uid, gid) ||
+-	    chmod (tty, getdef_num ("TTYPERM", 0600))) {
++	/* is_my_tty above ensure that tty is the same device as stdin.
++	 * there could be a race condition between the above check, and
++	 * changing the ownership/mode.
++	 */
++	if (fchown (STDIN_FILENO, info->pw_uid, gid) ||
++	    fchmod (STDIN_FILENO, getdef_num ("TTYPERM", 0600))) {
+ 		int err = errno;
+ 
+ 		snprintf (buf, sizeof buf, _("Unable to change tty %s"), tty);
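Review bot: The comment added above the fchown/fchmod call names the race but never says how the new calls close it, and "ensure" should be "ensures". Suggest stating that fchown (STDIN_FILENO, ...) and fchmod (STDIN_FILENO, ...) act on the already-open descriptor that, per the comment, is_my_tty compared against tty, so the path is not resolved again between the check and the change as it was with chown (tty, ...) and chmod (tty, ...). In the patch header, "Status wrt upstream: Fixed upstream" would be more useful with the upstream version or commit named, so that the patch can be dropped with confidence later.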

